Skip to main content

Microsoft Defender for Endpoint CVE-2026-45647

| EUVDEUVD-2026-35571 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-09 secure@microsoft.com GHSA-2rv3-8j9r-chw9
7.0
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
4.8 MEDIUM
cvss
vuln.today AI
7.0 HIGH

Local-only because attacker needs a shell (AV:L); winning the race makes it AC:H; any logged-in user suffices so PR:L; successful root yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 19, 2026 - 03:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 19, 2026 - 03:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 19, 2026 - 03:22 vuln.today
cvss_changed
Severity Changed
Jun 19, 2026 - 03:22 NVD
MEDIUM HIGH
CVSS changed
Jun 19, 2026 - 03:22 NVD
5.5 (MEDIUM) 7.0 (HIGH)
Analysis Generated
Jun 09, 2026 - 19:37 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.5

DescriptionNVD

Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Defender for Endpoint for Mac (versions 101.0.0 through 101.26042.0010) allows an authenticated local attacker to win a time-of-check/time-of-use race and gain elevated privileges on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but SSVC rates technical impact as 'total' because successful exploitation yields full compromise of the endpoint security agent.

Technical ContextAI

The flaw is a CWE-367 Time-of-Check Time-of-Use (TOCTOU) race condition in the macOS build of Microsoft Defender for Endpoint (CPE: cpe:2.3:a:microsoft:defender_for_endpoint on macos). TOCTOU bugs arise when a privileged process validates a resource (file path, symlink, permissions, ownership) and then operates on it as a separate step - a concurrent unprivileged process can swap the resource between the check and the use, causing the privileged process to act on attacker-controlled data. In an EDR agent context this typically means file operations performed by a root-level daemon (mdatp / wdavdaemon) can be redirected via symlink or path substitution to overwrite, read, or chown attacker-chosen paths, yielding root.

RemediationAI

Vendor-released patch: Microsoft Defender for Endpoint for Mac 101.26042.0011 or later - upgrade all managed macOS endpoints per the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45647. Where rapid patching is blocked, compensating controls are limited because the vulnerable code runs as a privileged daemon on the endpoint itself: restrict interactive local logon on the affected Macs to trusted administrators only (reduces the pool of attackers who can attempt the race), enable and monitor mdatp audit logging plus shell/process telemetry for repeated rapid file-rename or symlink-creation patterns under directories Defender touches (helps detect race attempts, but creates noise), and disable shared/guest accounts on shared Macs (side effect: blocks legitimate kiosk or lab use cases). None of these substitute for the upgrade.

CVE-2026-21537 HIGH
8.8 Feb 10

Microsoft Defender for Endpoint on Linux contains a code injection vulnerability that enables adjacent network attackers

CVE-2024-49057 HIGH
8.1 Dec 12

Microsoft Defender for Endpoint on Android Spoofing Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is

CVE-2024-21315 HIGH
7.8 Feb 13

Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vu

CVE-2022-35828 HIGH
7.8 Sep 13

Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulne

CVE-2025-26684 MEDIUM
6.7 May 13

External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privil

CVE-2024-49071 MEDIUM
6.5 Dec 12

Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender al

CVE-2022-33637 MEDIUM
6.5 Jul 12

Microsoft Defender for Endpoint Tampering Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotel

CVE-2022-23278 MEDIUM
5.9 Mar 09

Microsoft Defender for Endpoint Spoofing Vulnerability. Rated medium severity (CVSS 5.9), this vulnerability is remotely

CVE-2024-43614 MEDIUM
5.5 Oct 08

Relative path traversal in Microsoft Defender for Endpoint allows an authorized attacker to perform spoofing locally. Ra

CVE-2025-47161 HIGH POC
7.8 May 15

Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.

Share

CVE-2026-45647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy